HIGH
hwmon PMBus Regulator Race
CVE-2026-31486
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
KernelScan AI7.1HIGH
01Description
In the Linux kernel, the following vulnerability has been resolved: hwmon: (pmbus/core) Protect regulator operations with mutex The regulator operations pmbus_regulator_get_voltage(), pmbus_regulator_set_voltage(), and pmbus_regulator_list_voltage() access PMBus registers and shared data but were not protected by the update_lock mutex. This could lead to race conditions. However, adding mutex protection directly to these functions causes a deadlock because pmbus_regulator_notify() (which calls regulator_notifier_call_chain()) is often called with the mutex already held (e.g., from pmbus_fault_handler()). If a regulator callback then calls one of the now-protected voltage functions, it will attempt to acquire the same mutex. Rework pmbus_regulator_notify() to utilize a worker function to send notifications outside of the mutex protection. Events are stored as atomics in a per-page bitmask and processed by the worker. Initialize the worker and its associated data during regulator registration, and ensure it is cancelled on device removal using devm_add_action_or_reset(). While at it, remove the unnecessary include of linux/of.h.
02KernelScan AI Analysis
Risk summary
A race condition in PMBus regulator operations could allow concurrent access to shared hardware registers and data structures. This could lead to inconsistent voltage readings, incorrect voltage settings, or system instability in power management. While exploitation requires local access and specific hardware, the impact on power regulation could affect system reliability and potentially cause hardware damage in extreme cases.
Vulnerability analysis
Root Cause: The PMBus regulator operations (pmbus_regulator_get_voltage, pmbus_regulator_set_voltage, pmbus_regulator_list_voltage) access shared PMBus registers and data structures without proper mutex protection. This creates race conditions where concurrent access to these functions can lead to inconsistent state or data corruption.
Attack Surface: This vulnerability affects systems with PMBus hardware monitoring devices that support regulator functionality. The race condition can be triggered through concurrent regulator operations, which could be initiated by kernel subsystems, userspace through sysfs interfaces, or hardware events. The attack surface is primarily local, requiring access to trigger regulator operations.
Fix Mechanism: The patch adds mutex protection (update_lock) around the regulator operations to prevent concurrent access. However, to avoid deadlocks where pmbus_regulator_notify() is called with the mutex already held, the notification mechanism is reworked to use a worker thread. Events are stored atomically in per-page bitmasks and processed asynchronously by the worker outside of mutex protection.
03Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.92 | acf04e286313 |
| 6.18 | 6.18.21 | 4e9d723d9f19 |
| 6.19 | 6.19.11 | 2c77ae315f3c |
| mainline | 7.0 | 754bd2b4a084 |